Diffstat (limited to 'terraform/networking.tf')
-rw-r--r-- | terraform/networking.tf | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/terraform/networking.tf b/terraform/networking.tf
new file mode 100644
index 00000000..3293c8c8
--- /dev/null
+++ b/terraform/networking.tf
@@ -0,0 +1,211 @@
+resource "openstack_networking_network_v2" "baserock_network" {
+ name = "Baserock Network"
+ admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "baserock_subnet" {
+ name = "Baserock Subnet"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ cidr = "10.3.0.0/24"
+ ip_version = 4
+}
+
+
+data "openstack_networking_network_v2" "external_network" {
+ name = "ext-net"
+}
+
+resource "openstack_networking_router_v2" "baserock_router" {
+ name = "Baserock Router"
+ admin_state_up = true
+ external_network_id = data.openstack_networking_network_v2.external_network.id
+}
+
+resource "openstack_networking_router_interface_v2" "baserock_router_interface" {
+ router_id = "${openstack_networking_router_v2.baserock_router.id}"
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+}
+
+# Security groups
+
+resource "openstack_networking_secgroup_v2" "sg_base" {
+ name = "base"
+ description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" {
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" {
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ remote_ip_prefix = "::/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_haste_server" {
+ name = "haste-server"
+ description = "Allow incoming TCP requests for haste server"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 7777
+ port_range_max = 7777
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}"
+}
+
+resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" {
+ name = "gitlab-bot"
+ description = "Allow incoming TCP requests for gitlab-bot"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 1337
+ port_range_max = 1337
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_git_server" {
+ name = "git-server"
+ description = "Allow inbound SSH, HTTP, HTTPS and Git requests."
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9418
+ port_range_max = 9418
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" {
+ name = "shared-artifact-cache"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22200
+ port_range_max = 22200
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_web_server" {
+ name = "web-server"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
|
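Review bot: The description on sg_web_server is copied from sg_shared_artifact_cache and promises "ostree-over-SSH (which I've assigned to port 22200)", but that group only carries the 80 and 443 rules; likewise sg_git_server's description lists SSH while no port-22 rule exists in that group, so SSH reaches a git server only if the instance also carries sg_base. Suggest `description = "Allow inbound HTTP and HTTPS requests."` for sg_web_server and dropping "SSH" from sg_git_server's description, or adding the missing rules if that exposure is actually intended. Separately, every ingress rule including SSH (22), haste-server (7777), gitlab-bot (1337) and the artifact-cache SSH service (22200) uses `remote_ip_prefix = "0.0.0.0/0"`; where a service is only reached from inside the Baserock subnet or from known operator ranges, narrowing the prefix (the subnet is `10.3.0.0/24`) is a cheap reduction of exposure, and a one-line comment stating why world-open is required would help on the rules where it genuinely is. Minor style: `admin_state_up = "true"` on the network versus `true` on the router, and legacy `"${...}"` interpolation everywhere except the router's bare `data.openstack_networking_network_v2.external_network.id` reference — Terraform 0.12+ warns on the legacy form, so picking one style keeps validate output clean.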